At least one malicious actor began exploiting a critical vulnerability in Apache Struts in the wild, despite a patch being issued last week.
According to researchers at Volexity, a cybersecurity company based in Washington, D.C., the exploits of the Apache Struts vulnerability surfaced in the wild not long after a proof-of-concept (PoC) exploit was published publicly on GitHub.
The Apache Software Foundation posted a security bulletin about the vulnerability — tracked as CVE-2018-11776 — on Aug. 22, 2018, and said that a remote code execution attack is possible “when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”
The flaw, which was discovered and reported in April by security researcher Man Yue Mo of Semmle Inc., a software analytics company based in San Francisco, affects Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16. Apache patched the vulnerability and noted that upgrading to version 2.3.35 or 2.5.17 would solve the problem. However, only a day after Apache posted its security bulletin, a researcher posted a PoC exploit on GitHub.
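The two facts a defender can act on from the bulletin are the affected version ranges and the configuration shape the advisory describes (a redirecting result that sets no namespace of its own, inside a package whose namespace is missing or a wildcard). The script below is an added example, not code from the article, Apache or Volexity: it checks a reported Struts version against the ranges quoted above and scans a struts.xml for that configuration shape. The sample struts.xml is constructed for the example; the result types `redirectAction` and `chain` and the `namespace` result parameter are standard Struts configuration elements that the article itself does not name, so treat their use here as the example's own assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not from the article). The first package has a
# wildcard namespace and a redirectAction result with no namespace of its own;
# the second gives both the package and the result an explicit namespace.
SAMPLE_STRUTS_XML = """<struts>
  <package name="wildcard" extends="struts-default" namespace="/*">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="explicit" extends="struts-default" namespace="/secure">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that build a new action URL and so depend on a namespace
# (assumed standard Struts result types; not named in the article).
REDIRECTING_RESULT_TYPES = {"redirectAction", "chain"}


def is_affected_version(version):
    """True if the version lies in the ranges the bulletin lists:
    2.3 through 2.3.34 and 2.5 through 2.5.16 (fixed in 2.3.35 / 2.5.17)."""
    try:
        nums = [int(p) for p in version.split(".")]
    except ValueError:
        return False  # non-numeric component (e.g. a snapshot build): inspect by hand
    while len(nums) < 3:
        nums.append(0)  # "2.3" means the 2.3.0 release
    major, minor, patch = nums[:3]
    if (major, minor) == (2, 3):
        return patch <= 34
    if (major, minor) == (2, 5):
        return patch <= 16
    return False


def namespace_is_weak(ns):
    """'No or wildcard namespace' in the bulletin's wording: attribute absent,
    empty, or containing a wildcard."""
    return ns is None or ns.strip() == "" or "*" in ns


def result_sets_namespace(result):
    """True if the <result> carries a non-empty <param name="namespace">."""
    for param in result.findall("param"):
        if param.get("name") == "namespace" and (param.text or "").strip():
            return True
    return False


def find_weak_results(xml_text):
    """Return (package, action, result) triples where a redirecting result
    has no namespace of its own inside a package with a weak namespace."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        if not namespace_is_weak(pkg.get("namespace")):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if (result.get("type") in REDIRECTING_RESULT_TYPES
                        and not result_sets_namespace(result)):
                    findings.append((pkg.get("name"),
                                     action.get("name"),
                                     result.get("name", "success")))
    return findings


if __name__ == "__main__":
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, "affected" if is_affected_version(v) else "patched/out of range")
    print(find_weak_results(SAMPLE_STRUTS_XML))  # -> [('wildcard', 'login', 'success')]
```

The configuration check is a triage aid, not a substitute for upgrading: the bulletin's fix is the 2.3.35 / 2.5.17 release, and an explicit namespace on every package and redirecting result only removes the configuration shape the advisory describes on a still-vulnerable version. Run it over your own struts.xml with `find_weak_results(open("struts.xml").read())`.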
“Shortly after the PoC code was released, Volexity began observing active scanning and attempted exploitation of the vulnerability across its sensor network,” Volexity researchers said in a blog post. “The in-the-wild attacks observed thus far appear to have been taken directly from the publicly posted PoC code.”
The researchers also noted that the vulnerability is “trivial to exploit” and has already seen at least one malicious actor attempt to exploit it “en masse in order to install the CNRig cryptocurrency miner.”
“Although the main payload for Apache Struts exploits appears to be cryptocurrency miners, failure to patch also leaves an organization open to significant risk that goes beyond cryptomining.”
In 2017, another Apache Struts vulnerability — enabling remote code execution exploits — was disclosed; shortly after that disclosure, the vulnerability was exploited in the massive Equifax data breach that exposed 148 million U.S. consumers’ personal data.
Enterprises and users are encouraged to update to the patched versions of Apache Struts immediately so as not to become the next victim of an Equifax-like data breach.
In other news:
- Facebook removed its own security app, Onavo Protect, from Apple’s App Store this week because of its privacy issues. Onavo is a free VPN app that Facebook acquired in 2013 to collect data on how much its users use other mobile apps. Apple updated its App Store rules in June to ban the collection of information about other apps installed and in use on mobile devices. Apple reportedly urged Facebook to voluntarily remove the app from the App Store after Apple ruled that Onavo violated its new data collection policies. Onavo was downloaded more than 33 million times on both iOS and Android devices, and while it is no longer available in the App Store, it is still on offer in the Google Play.
- NIST published guidance this week on securing wireless infusion pumps after research over the past few years has shown vulnerabilities in the internet-connected medical devices. The guidance, NIST SP 1800-8 “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations,” suggests a defense-in-depth strategy for protecting wireless infusion pumps. “This strategy may include a variety of tactics: using network segmentation to isolate business units and user access; applying firewalls to manage and control network traffic; hardening and enabling device security features to reduce zero-day exploits; and implementing strong network authentication protocols and proper network encryption, monitoring, auditing, and intrusion detection systems (IDS) and intrusion prevention systems (IPS),” the guidance states. This special publication is part of NIST’s ongoing effort to secure IoT devices.
- A researcher at Check Point uncovered new malware that hijacks browsers. A rootkit called CEIDPageLock is being distributed by the RIG Exploit kit, according to Check Point’s Israel Gubi. “It acts to manipulate the victim’s browser and turn their home-page into a site pretending to be 2345.com — a Chinese web directory,” Gubi explained, adding that it “monitors user browsing and dynamically replaces the content of several popular Chinese websites with the fake home page, whenever the user tries to visit them.” He said that CEIDPageLock targets Chinese victims specifically.